Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.	This action is in response to the application filed on 15 January 2019.
Claims 1-20 are presently pending for examination.

Information Disclosure Statement
2.	The information disclosure statements (IDS) submitted on 01/15/2019, 01/31/2019, 06/03/2019, 10/09/2019, 10/17/2019, 10/23/2019, 11/06/2019, 12/10/2019, 01/08/2020, 04/07/2020, 05/15/2020, 06/02/2020, 06/23/2020 and 06/17/2021 have been considered by the examiner.

Claim Objections
3.	Claims 1 and 5 are objected to because of the following informalities: the limitation “to receive the network traffic it and to perform” in claim 1, line 6, appears grammatically incorrect, in particular the bolded word. Similarly, claim 5, line 2, contains the phrase “the a”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-9 and 11-20 are rejected under 35 U.S.C. 103 as being unpatentable over Havelka et al., U. S. Patent Publication No. 2017/0295187 in view of O’Connor, U. S. Patent Publication No. 2016/0352772.

Regarding claim 1, Havelka discloses a computing device for detecting malicious domain names in network traffic (see Havelka, Abstract: a security device for monitoring and detecting suspicious domain names is disclosed) the computing device comprises: a communication module configured to receive the network traffic from a data network (see Havelka, ¶ [0023]; received network traffic from users are identified for suspicious domain names), a filtering module, configured to connect to the communication module to receive the network traffic it and to perform: extracting a plurality of data packets from the network traffic, analyzing the plurality of data packets in order to extract at least one domain name from the plurality of data packets (see Havelka, ¶ [0016], [0028] and [0076]; filtering component is provided that extracts and analyzes the received network traffic).
Although Havelka discloses the invention substantially as claimed, it does not explicitly disclose an analyzing module, configured to connect to the filtering module to receive 
O’Connor teaches an analyzing module, configured to connect to the filtering module to receive the at least one domain name from analyze each of the at least one domain name using a given set of analysis methods in order to generate, for a given one of the at least one domain names, a given numerical value representative of a suspiciousness of the given one of the at least one domain name, the given numeric value being based on a given set of features of domain name suspiciousness corresponding to one of the given set of analysis methods (see O’Connor, ¶ [0025]-[0026] and [0035]; mechanism for filtering and analyzing the suspicious domain names using various thresholds is provided); a processing module, configured to connect to the analyzing module to receive given set of features of suspiciousness and the given numerical value for the at least one domain name, the processing module being further configured to: classify the 

Regarding claim 2, Havelka-O’Connor teaches wherein the communication module is further configured to connect to at least one of the network traffic capture devices connected to the data network (see Havelka, ¶ [0050] and [0053]).

Regarding claim 3, Havelka-O’Connor teaches wherein the filtering module is further configured to determine if there is an analytical report for each of the at least one domain name (see O’Connor, ¶ [0062]). Same motivation utilized in claim 1 applies equally to claim 3.

Regarding claim 4, Havelka-O’Connor teaches wherein, in response to a presence of the analytical report, the filtering module is further configured to execute: receiving the analytical report, determine a match of each of the at least one domain name to one of the analytical report using a character-by-character comparison of each of the each of 

Regarding claim 5, Havelka-O’Connor teaches wherein, in response to an absence of the analytical report for the a given one of the at least one domain name, the filtering module is further configured to transfer the given one of the least one domain name to the analyzing module (see Havelka, ¶ [0016] and O’Connor, ¶ [0062]). Same motivation utilized in claim 1 applies equally to claim 5.


Regarding claim 6, Havelka-O’Connor teaches wherein, when analyzing the at least one domain names, the analyzing module is configured to execute: determining a number of characters in each of the at least one domain names, comparing a certain number of characters of each of the at least one domain name to a given threshold value of a length of the domain name, generating the given numerical value to a suspiciousness attribute of each of the at least one domain name, based on the comparison of the length of each of the at least one domain name and the given threshold value (see O’Connor, ¶ [0025]-[0026], [0035] and [0072]). Same motivation utilized for claim 1 applies equally as well to claim 6.

Regarding claim 7, Havelka-O’Connor teaches wherein, when analyzing the at least one domain name, the analyzing module is further configured to perform: receiving a set of 

Regarding claim 8, Havelka-O’Connor teaches wherein, when analyzing the at least one domain name, the analyzing module is further configured to perform at least one of: determining a frequency of occurrence of each of a plurality of N-grams in each of the at least one domain name, each N-gram corresponding to a combination of N consecutive characters, determining an entropy of the N-gram of a given one of the at least one domain name as a function of a specific frequency of occurrence of each N-gram in the given one of the at least one domain name, comparing the entropy of the N-gram of the given one of the at least one domain name with a pre-determined threshold value of entropy of the N-gram, updating the given numerical value based on another feature of the domain name suspiciousness, the another feature representing entropy of the given one of the at least one domain name, depending on an outcome of the comparing (see O’Connor, ¶ [0033], [0063] and [0100]). Same motivation utilized for claim 1 applies equally as well to claim 8.

Regarding claim 9, Havelka-O’Connor teaches wherein, when analyzing the at least one domain name, the analyzing module is further configured to perform: receiving data 

Regarding claim 11, Havelka-O’Connor teaches wherein the analyzing module is further configured to update the given set of analysis methods (see Havelka, ¶ [0042]).

Regarding claim 12, Havelka-O’Connor teaches wherein, in response to determining a given domain name as a malicious domain name, the processing module is further configured to execute at least one of: generating a warning message, blocking network traffic from infected devices, generating an analytical report for the malicious domain name (see O’Connor, ¶ [0035]). Same motivation utilized for claim 1 applies equally as well to claim 12.

Regarding claim 13, Havelka-O’Connor teaches wherein the processing module is configured to execute at least one previously trained machine-learning algorithm for executing analyzing of the at least one domain name (see O’Connor, ¶ [0021]). Same motivation utilized for claim 1 applies equally as well to claim 13.



Regarding claim 15, Havelka discloses a computing device for analyzing domain names, the computing device comprises: a communication module, configured to receive at least one domain name from at least one source of domain names (see Havelka, ¶ [0023], [0016], [0028] and [0076]; the received network traffic from users is analyzed and domain names in it are identified as suspicious).
Although Havelka discloses the invention substantially as claimed, it does not explicitly disclose an analyzing module, configured to connect to the communication module to receive the at least one domain name to analyze each of the at least one domain name using a given set of analysis methods in order to generate a given numerical value to each of a given set of features of a domain name suspiciousness corresponding to one of a given set of analysis methods, for each of the at least one domain name, the given numeric value being based on the results of the analysis using a given one of the set of analysis methods, a processing module, configured to connect to the analyzing module to receive the features of suspiciousness with assigned numerical values for each of the at least one domain name, the processing module being further configured to execute analyzing the features of suspiciousness with assigned numerical values for each of the at least one domain name using the set of analysis methods such that each domain
O’Connor teaches an analyzing module, configured to connect to the communication module to receive the at least one domain name to analyze each of the at least one domain name using a given set of analysis methods in order to generate a given numerical value to each of a given set of features of a domain name suspiciousness corresponding to one of a given set of analysis methods, for each of the at least one domain name, the given numeric value being based on the results of the analysis using a given one of the set of analysis methods (see O’Connor, ¶ [0025]-[0026] and [0035]; mechanism for filtering and analyzing the suspicious domain names using various thresholds is provided), a processing module, configured to connect to the analyzing module to receive the features of suspiciousness with assigned numerical values for each of the at least one domain name, the processing module being further configured to execute analyzing the features of suspiciousness with assigned numerical values for each of the at least one domain name using the set of analysis methods such that each domain name is classified as malicious domain names, in response to received results of the analysis of features of suspiciousness being characteristic of malicious domain names (see O’Connor, ¶ [0023]-[0024] and [0030]; target domain names are associated with numerical score indicative of their malicious level). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of O’Connor with that of Havelka in order to efficiently detect and distinguish the malicious domain names from normal safe traffic.


Although Havelka discloses the invention substantially as claimed, it does not explicitly disclose generating, for a given one of the at least one domain names, a given numerical value representative of a suspiciousness of the given one of the at least one domain name, the given numeric value being based on a given set of features of domain name suspiciousness corresponding to one of the given set of analysis methods; classifying the at least one domain name as malicious domain names, in response to an analysis of the given set of features of suspiciousness and the given numerical value being indicative of the given set of features of suspiciousness and the numeric value being indicative of malicious domain names.
O’Connor teaches generating, for a given one of the at least one domain names, a given numerical value representative of a suspiciousness of the given one of the at least one domain name, the given numeric value being based on a given set of features of domain name suspiciousness corresponding to one of the given set of analysis methods (see O’Connor, ¶ [0025]-[0026] and [0035]; mechanism for filtering and analyzing the suspicious domain names using various thresholds is provided); classifying the at least 

Regarding claim 17, Havelka-O’Connor teaches wherein the receiving network traffic further comprises connecting, using a communication module, to at least one of the network traffic capture devices that are part of the data network (see Havelka, ¶ [0050] and [0053]).

Regarding claim 18, Havelka-O’Connor teaches wherein, for the at least one domain name, the method further comprises determining whether there is an analytical report for each of the at least one domain name (see O’Connor, ¶ [0062]). Same motivation utilized for claim 16, applies equally as well to claim 18.

Regarding claim 19, Havelka-O’Connor teaches wherein the classifying is executed using a machine learning algorithm (see O’Connor, ¶ [0021]). Same motivation utilized for claim 16, applies equally as well to claim 19.

5.	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Havelka in view of O’Connor as applied to claim 1 above, and further in view of Kulkarni et al., U. S. Patent Publication No. 2018/0007070.
Regarding claim 10, although the combination of Havelka-O’Connor discloses wherein, when analyzing the at least one domain names (see Havelka, ¶ [0016]), the analyzing module is further configured to perform: determining and the corresponding one of the words in the language dictionary, comparing a given with a predetermined threshold value; updating the given numerical value based on another feature of the domain name suspiciousness, the another feature representing correctness of spelling of the analyzed domain name, the correctness being determined based on the comparing (see O’Connor, ¶ [0018], [0025]-[0026] and [0035]), they do not explicitly disclose the use of Levenshtein distance between words.
Kulkarni teaches a system for detecting malicious spoofing domain names wherein the Levenshtein distance between words is utilized to identify similarity between words (see Kulkarni, ¶ [0018]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Kulkarni with that of Havelka-O’Connor in order to efficiently measure the similarity between characters in the suspicious domain names.
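The three feature checks discussed in the rejections of claims 6, 8 and 10 (label length against a threshold, N-gram entropy against a threshold, and edit distance to dictionary words as a spelling-correctness feature) are illustrated below in a small scoring routine. This is an added example for the reader and is not code from the application, from Havelka, O’Connor or Kulkarni, or from the Office; the thresholds, the word list and the sample domain names are constructed placeholders, and the additive scoring and the `malicious_at` cut-off are assumptions of this example rather than anything the page specifies.

```python
"""Added illustration (not from the application or the cited references):
a domain-name suspiciousness scorer combining three features described in
claims 6, 8 and 10: label length, bigram entropy and Levenshtein distance to
a word list. Thresholds and word list are constructed placeholders."""
import math
from collections import Counter

# Constructed thresholds (hypothetical; the page gives no numeric values)
LENGTH_THRESHOLD = 15             # label longer than this adds a point
ENTROPY_THRESHOLD = 3.5           # bigram entropy (bits) above this adds a point
SPELLING_DISTANCE_THRESHOLD = 2   # near-miss of a dictionary word within this distance

# Constructed mini dictionary used for the spelling-correctness feature
WORD_LIST = ("google", "paypal", "microsoft", "amazon", "login", "secure", "mail")


def second_level_label(domain):
    """Return the label left of the TLD, e.g. 'paypa1' for 'www.paypa1.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def ngram_entropy(label, n=2):
    """Shannon entropy (bits) of the frequency distribution of the label's n-grams
    (claim 8: frequency of each N-gram, then entropy as a function of it)."""
    grams = [label[i:i + n] for i in range(len(label) - n + 1)]
    if not grams:
        return 0.0
    counts = Counter(grams)
    total = len(grams)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def levenshtein(a, b):
    """Edit distance between two strings using a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,          # insertion
                           prev[j - 1] + (ca != cb)))  # substitution / match
        prev = cur
    return prev[-1]


def nearest_word_distance(label, words=WORD_LIST):
    """Distance to the closest dictionary word; 0 means the label is a dictionary word."""
    return min(levenshtein(label, w) for w in words)


def score_domain(domain):
    """Compute the per-feature values and an additive suspiciousness score."""
    label = second_level_label(domain)
    features = {
        "length": len(label),
        "entropy": round(ngram_entropy(label), 3),
        "edit_distance": nearest_word_distance(label),
    }
    score = 0
    if features["length"] > LENGTH_THRESHOLD:        # claim 6: length vs threshold
        score += 1
    if features["entropy"] > ENTROPY_THRESHOLD:      # claim 8: entropy vs threshold
        score += 1
    # claim 10 pattern: a label that is *almost* a known word (distance 1..threshold)
    if 0 < features["edit_distance"] <= SPELLING_DISTANCE_THRESHOLD:
        score += 1
    features["score"] = score
    return features


def classify(domain, malicious_at=2):
    """Assumed classification rule: two or more triggered features -> malicious."""
    return "malicious" if score_domain(domain)["score"] >= malicious_at else "benign"


if __name__ == "__main__":
    # Constructed sample names: a brand look-alike, a random-looking label, a plain name
    for d in ("www.paypa1.com", "x7kq9zr2vbw4mnp3ltc.net", "mail.google.com"):
        print(d, score_domain(d), classify(d))
```

The look-alike name triggers only the spelling feature, so under the assumed two-feature rule it stays benign while still carrying a non-zero score that a processing module could surface in a report; the random-looking label trips both the length and the entropy checks and is classified malicious.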



Prior Art of Record
6.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Please refer to form PTO-892 (Notice of References Cited) for a list of relevant prior art.
1.	Antonakakis et al, (US Patent No. 8631489): A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign.
2.	Zhang et al, (US Patent No. 9749336): Techniques for malware domain detection using passive Domain Name Service (DNS) are disclosed. In some embodiments, malware domain detection using passive DNS includes generating a malware association graph that associates a plurality of malware samples with malware source information, in which the malware source information includes a first domain; generating a reputation score for the first domain using the malware association graph and passive DNS information; and determining whether the first domain is a malware domain based on the reputation score for the first domain.
3.	Krywaniuk (US Patent Publication No. 2010/0095377): Methods and systems for detecting suspicious traffic patterns in electronic communications are provided. According to one embodiment, an electronic mail (email) message is received by a mail .
 
Conclusion
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMED IBRAHIM whose telephone number is (571)270-1132.  The examiner can normally be reached on Monday through Friday from 9:30AM to 6:00PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on 571-272-3964.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Mohamed Ibrahim/
Primary Examiner, Art Unit 2444